Tarun Thakur, Co-Founder and CEO of Veza – Interview Series

Tarun Thakur, Co-Founder and CEO of Veza, is a former executive at Data Domain, Veritas, and IBM, bringing decades of experience in building enterprise infrastructure companies. He co-founded Veza to address the growing crisis of identity sprawl, with a focus on providing clarity and control in complex hybrid and cloud-native architectures.

Veza is an identity security platform purpose-built for modern, multi-cloud environments, enabling organizations to manage and enforce access rights across applications, cloud platforms, and data systems with unmatched visibility and precision. Backed by over $125 million in funding—including a $110 million Series C led by Accel with participation from Sequoia Capital, GV, and Norwest Venture Partners—Veza serves leading enterprises such as Blackstone, Autodesk, SoFi, Wynn Resorts, and S&P Global to prevent breaches, mitigate insider risk, and ensure compliance.

You’ve successfully co-founded multiple enterprise infrastructure companies over the years. What inspired you to launch Veza, and how did your past experiences at Datos IO, Data Domain, and IBM Research shape your vision for identity-first security?

Every company I’ve built has tackled a foundational blind spot in enterprise infrastructure—data protection, resilience, scale. But identity was always the missing link. At Datos IO, we helped protect critical data across cloud-native apps, but we constantly ran into a deeper issue: we didn’t know who had access to what data, or why. That’s a systemic failure—not of storage or compute—but of access governance.

I founded Veza because I saw a future where identity would be the primary attack surface. And we’re living in that future now. The industry had spent 20 years pretending IAM was a checkbox problem. It’s not. It’s a continuous control plane. It’s where security, compliance, and productivity all collide. Our mission is to make access not just visible, but actionable.

Just look at Palo Alto’s acquisition of CyberArk. It’s the industry’s clearest signal yet that identity isn’t a back-office function—it’s now core to enterprise security strategy. But even with that deal, the market is still missing what modern enterprises need most: real-time visibility into what identities can do, across every app, system, and data set. That’s the gap Veza fills.

We’re entering a new era where AI agents are not just tools but actors—autonomously accessing systems, data, and applications. How is this shift challenging the traditional paradigms of identity and access management (IAM)?

IAM was designed for humans. Agentic AI breaks that model completely. These are autonomous entities making decisions, generating output, chaining workflows, triggering downstream access—at machine speed. Yet most IAM tools still ask: “What group is this identity in?” That’s laughable.

The paradigm shift is this: access is no longer provisioned manually—it’s emergent, dynamic, and contextual. You can’t manage it with static roles and stale entitlements. You need real-time access intelligence. You need systems that understand what an AI agent can do across every system—not just what it is “allowed” to do in theory.

Veza has been vocal about the rising risk of non-human identities—AI agents, service accounts, bots. How do you differentiate between legitimate automation and risky over-permissioning in dynamic environments like DevOps or finance?

That’s the $10 billion question. Most orgs can’t even inventory their non-human identities, let alone govern them. Veza flips the model: we don’t start with the identity—we start with the action. Who or what can read this S3 bucket? Who can delete rows in this production database?

In DevOps or finance, automation is essential. But so is constraint. You need fine-grained visibility into what those identities can do right now, not what some IAM ticket said six months ago. And you need to be able to shut it down instantly when that access becomes toxic. That’s Veza’s superpower.

As enterprises integrate AI into critical workflows, real-time enforcement of least-privilege access becomes essential. Can you walk us through how Veza enables this level of granularity across hybrid and multi-cloud infrastructures?

Granularity without automation is useless. Veza connects directly to the control plane—whether it’s AWS, Salesforce, Snowflake, or SAP—and builds a graph of every permission, every role, every action available to an identity. Human or machine. On-prem or cloud. It’s one unified access fabric.

Then we layer in a business context—who owns the app, when was it last used, is it part of a critical process. That lets you create policies like: “No GenAI agent can access PII unless it’s explicitly approved and logged.” And if something breaks that rule, Veza can alert, revoke, or remediate in real time. That’s how you enforce least privilege at scale.

You’ve described Veza as providing “access intelligence.” What does that mean in practical terms, and how is it different from traditional access control solutions or identity governance platforms?

Access intelligence means knowing, at any moment, what every identity—human or non-human—can do, where, and why. Traditional tools tell you what a user has been given. We tell you what they can actually do right now, and whether that’s safe.

IGA tools do governance on a quarterly basis. Veza does governance continuously. PAM tools focus on a tiny subset of privileged accounts. We cover every identity, every app, every entitlement. And we do it with the context to make smart decisions—not just log noise.

Looking at the future of Agentic AI, how should security architectures evolve to keep up? What capabilities must organizations start investing in today to avoid compliance failures or internal breaches tomorrow?

Security teams must stop thinking in terms of users and start thinking in terms of actions. AI agents don’t clock in and out. They don’t fill out access request forms. They spin up, act, and disappear.

You need architectures that are access-aware, real-time, and control-plane adjacent. That means:

  • Continuous permission monitoring
  • AI behavior baselining
  • Autonomous access revocation
  • Tamper-proof auditability across all AI interactions

This isn’t optional. Every AI agent is a potential insider threat—and the compliance frameworks are catching up fast. If you can’t explain who did what and why, you’re going to fail audits, lose trust, or worse.

Veza counts major brands like Autodesk, Blackstone, and S&P Global among its customers. What common patterns or mistakes do you see even the most mature organizations making when it comes to identity governance?

The most common mistake? Assuming someone else owns it. IAM is often orphaned between security, IT, compliance, and engineering. That fragmentation kills accountability.

Another issue is role sprawl—especially in mature orgs. Over time, no one removes access because it’s risky. So instead of least privilege, you get maximum exposure.

And finally, most orgs think access reviews are a control. They’re not. They’re a band-aid. The real control is preventing toxic access in the first place. Veza helps teams move from detective to preventive.

The company has raised over $125 million with backing from Accel, Sequoia, and GV. What does that level of investor support say about the urgency of solving identity in the AI era—and how do you plan to use this momentum to scale Veza’s impact?

It says we’re solving a generational problem—and we’re doing it at exactly the right time. Identity is now the front door, the firewall, and the weakest link all at once. And AI just kicked that door wide open.

Our investors understand that Veza isn’t just another IAM tool. We’re building the control plane for access in the age of AI. We’re using this momentum to accelerate platform expansion, deepen our ecosystem integrations, and scale globally—especially in regulated sectors like financial services, healthcare, and government.

You hold 18 patents in data security, storage, and management. Are there any areas of innovation within Veza that you believe will set new standards for how the industry approaches access governance over the next decade?

Yes—two in particular.

First, our Access Graph: it’s a universal model that maps identities to permissions to actions across any system, in real time. That’s foundational for least privilege, AI governance, and insider threat detection.

Second, autonomous remediation. We’re investing heavily in self-healing access environments—where violations are detected, contextualized, and corrected without human intervention. That’s how you govern AI with AI.

Over the next decade, access governance will shift from reactive to autonomous. Veza will be the engine driving that shift.

Lastly, you’ve said “talent has no boundaries.” What advice would you give to technical founders or engineers building next-generation security or AI infrastructure companies today?

Build for the edge cases, not the happy path. The future is messy—multi-cloud, multi-agent, multi-polar. Your architecture has to assume chaos.

Second, don’t be afraid to challenge sacred cows. The security industry is full of legacy assumptions—“just-in-time access is enough,” “humans are the problem,” “audit means Excel.” Break those models.

Finally, hire people who are obsessed with first principles. Tools change. Paradigms shift. But clarity of thought and mission wins every time.

And yes—talent has no boundaries. Build global, build diverse, and build for impact.

Thank you for the great interview. Readers who wish to learn more should visit Veza.

Antoine is a visionary leader and founding partner of Unite.AI, driven by an unwavering passion for shaping and promoting the future of AI and robotics. A serial entrepreneur, he believes that AI will be as disruptive to society as electricity, and is often caught raving about the potential of disruptive technologies and AGI.

As a futurist, he is dedicated to exploring how these innovations will shape our world. In addition, he is the founder of Securities.io, a platform focused on investing in cutting-edge technologies that are redefining the future and reshaping entire sectors.